LOL: BabaYaga WordPress Malware Updates Your Site

Security researchers have spotted a malware strain targeting WordPress sites that includes some pretty clever self-preservation techniques, such as removing competing malware and updating the victim’s site.

Named BabaYaga, this malware strain isn’t new, but recent updates have transformed this former low-key player into a considerable foe for WordPress site administrators.

BabaYaga – Russian malware used for SEO spam

The group behind BabaYaga —believed to be Russian-speaking hackers— uses this malware to inject sites with special keyboards to drive SEO traffic to hidden pages on compromised sites. These pages are then used to redirect users to affiliate marketing links, where if the user purchases advertised goods, the hackers also make a profit.

The malware per-se is comprised of two modules —one that injects the spam content inside the compromised sites, and a backdoor module that gives attackers control over an infected site at any time.

The intricacies of both modules are detailed in much more depth in this 26-page report authored by Defiant (formerly known as WordFence), the security firm which dissected the malware’s more recent versions.

“[BabaYaga] is relatively well-written, and it demonstrates that the author has some understanding of software development challenges, like code deployment, performance and management,” Defiant researchers say. “It can also infect Joomla and Drupal sites, or even generic PHP sites, but it is most fully developed around WordPress.”

BabaYaga updates or reinstalls WordPress sites

But the things that stood out the most from BabaYaga’s modus operandi are two functions that will update/reinstall a victim’s site and remove competing WordPress malware.

According to the Defiant team, the reason for these two functions is directly tied to the malware’s ability to inject spam into compromised sites.

“Because so much of the primary functionality of BabaYaga executes alongside WordPress on page load, it requires the application to be working properly,” the Defiant team says. “If something breaks WordPress, then the malicious scripts don’t get executed when a page is visited.”

Hence, the reason the malware wants to keep the victim’s site up to date, so it’s always working properly, without bugs.

Further, the BabaYaga-triggered update/reinstall mechanism isn’t just a second-hand feature put together for the sake of it. The entire sequence of operations has received the group’s full attention, and it’s been carefully assembled, so much so that BabaYaga “even handles the creation and cleanup of backup files, in the event that an upgrade fails.”

BabaYaga scans for and removes competiting malware

This same desire to keep a compromised site error-free is also the reason BabaYaga also scans the infected site and removes other known malware strains.

The thinking is that some of this competing malware might be poorly coded, resulting in page load errors that indirectly lead to situations that might prevent BabaYaga from working.

The rationale is simple: a good parasite wants to keep its host alive

But besides its own selfish reasons for operating without errors, the BabaYaga crew also wants to keep the site without errors for another reason.

That reason is that any site with errors generally draws the attention of its owner, who in his/her efforts to fix the problems might also discover BabaYaga’s files and presence.

All in all, in Defiant’s own words, “BabaYaga is an emerging threat that is more sophisticated than most malware.”

Side note: BabaYaga is not the first malware with a self-contained malware scanning system and kill list. The Shifu banking trojan has exhibited a similar behavior of killing competing malware, along with another low-key coinminer that also killed competing miners.